---
title: "Singapore PDPA Data Intermediaries FAQ"
canonical_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/faq/data-intermediaries"
source_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/faq/data-intermediaries"
author: "Sorena AI"
description: "FAQ guidance on Singapore PDPA data intermediary roles, direct obligations, organisation accountability, contracts, retention, protection, and breach escalation."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Singapore PDPA data intermediary"
  - "PDPA organisation accountability"
  - "PDPA vendor contract"
  - "PDPA protection retention breach notification"
  - "Singapore PDPA"
  - "Data intermediaries"
  - "Personal data"
  - "Vendor management"
---

# Singapore PDPA Data Intermediaries FAQ

FAQ guidance on Singapore PDPA data intermediary roles, direct obligations, organisation accountability, contracts, retention, protection, and breach escalation.

A data intermediary is not just any vendor. Under the Singapore PDPA, the classification turns on whether the party processes personal data on behalf of another organisation and for that organisation's purposes.

Use this FAQ to separate organisation and data intermediary roles, assign direct PDPA duties, write contract controls, and set breach escalation evidence.

This Singapore PDPA FAQ explains how implementation teams should classify data intermediaries, what duties remain with the organisation, what direct duties apply to the intermediary, and what records to keep when personal data is outsourced for processing.

## When is a vendor a data intermediary under the Singapore PDPA?

A vendor is a data intermediary when it processes personal data on behalf of another organisation and for that organisation's purposes under a contract that is made or evidenced in writing. The label in the contract helps, but the role follows the actual processing arrangement: who decides the purpose, who controls the permitted use, and whether the vendor is acting within that scope.

Treat the same company role-by-role. A payroll provider may be a data intermediary for customer payroll processing while still acting as an organisation for its own employee records, recruitment, billing, security logs, and marketing activities.

- Record the processing purpose, the organisation that decides that purpose, and the personal-data categories handled by the vendor.
- Mark the vendor as outside the data intermediary role for any use or disclosure beyond the customer's remit, because that activity can make the vendor responsible as an organisation for that processing.
- Do not route access, correction, consent, notification, or transfer decisions to the intermediary unless the contract gives it an operational support role; the organisation remains responsible for those PDPA duties.

Sources for this answer:

- [PDPC Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - Supports the role test for data intermediaries, including processing on behalf of another organisation and the possibility that one company can hold different PDPA roles for different processing activities.
- [PDPC: The Distinction between Organisations and Data Intermediaries and Why It Matters](https://www.pdpc.gov.sg/the-distinction-between-organisations-and-data-intermediaries-and-why-it-matters?ref=sorena.io) - Supports the practical distinction between an organisation deciding purposes and means and a data intermediary handling data under the organisation's instructions.

## What direct PDPA obligations apply to a data intermediary?

For personal data processed on behalf of and for the purposes of another organisation under a written or evidenced contract, a Singapore PDPA data intermediary is directly subject to the Protection Obligation, the Retention Limitation Obligation, and the obligation to notify the organisation of a data breach without undue delay once it has credible grounds to believe a breach occurred.

That limited direct obligation set does not remove the organisation's accountability. The organisation has the same PDPA obligations for personal data processed by its intermediary as if the organisation processed the data itself.

- Protection: require and evidence reasonable security arrangements for the personal data in the intermediary's possession or control.
- Retention limitation: require the intermediary to cease retaining personal data or de-identify it when the contracted processing purpose and any legal or business need no longer require retention.
- Breach escalation: require immediate internal escalation to the organisation so the organisation can contain, assess, and decide any PDPC or affected-individual notification steps.

Sources for this answer:

- [PDPC Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - Supports the direct data intermediary obligations for protection, retention limitation, and breach notification to the engaging organisation.
- [PDPC: The Distinction between Organisations and Data Intermediaries and Why It Matters](https://www.pdpc.gov.sg/the-distinction-between-organisations-and-data-intermediaries-and-why-it-matters?ref=sorena.io) - Supports explaining why consumer-facing obligations generally sit with the organisation, while protection and retention duties also apply to intermediaries.

## How should the organisation manage data intermediary contracts and evidence?

Use the contract as the main control surface. PDPC guidance describes the contract as the primary way for the organisation to ensure appropriate protection and retention by the data intermediary, and the Guide to Managing Data Intermediaries says the scope of outsourced processing should be clearly defined and agreed.

The contract evidence should be operational, not just legal. Keep the processing schedule, security requirements, retention and deletion rules, subcontracting limits, breach reporting route, onboarding material, review meeting records, audit or check results where used, and exit-management evidence.

- Define the personal data, permitted purposes, processing operations, locations, systems, and any subcontracting approval requirement.
- Require the intermediary to impose equivalent processing obligations on approved subcontractors where subcontracting is allowed.
- Keep the vendor evidence that the cited guidance supports: protection policies and practices, relevant industry-standard or certification assurances, onboarding records, regular meeting notes, audit or inspection outputs where proportionate, and exit checks for return, deletion, or de-identification.

Sources for this answer:

- [PDPC Guide to Managing Data Intermediaries](https://www.pdpc.gov.sg/help-and-resources/2020/09/guide-to-managing-data-intermediaries?ref=sorena.io) - Supports using written contracts, clearly scoped processing, governance, service management, monitoring, and exit management when outsourcing personal-data processing to data intermediaries.
- [PDPC Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data](https://www.pdpc.gov.sg/help-and-resources/2017/10/guide-on-data-protection-clauses-for-agreements-relating-to-the-processing-of-personal-data?ref=sorena.io) - Supports using adapted data protection clauses in service agreements when engaging organisations to process personal data.

## What should happen when a data intermediary discovers a breach?

The data intermediary should notify the organisation without undue delay once it has credible grounds to believe a data breach has occurred. The intermediary's job is to escalate fast, preserve facts, support containment, and provide enough information for the organisation to assess whether the breach is notifiable.

The organisation remains responsible for assessing whether the breach is notifiable and, where required, notifying the PDPC and affected individuals. A service agreement should therefore specify the breach contact route, incident information to provide, evidence preservation, containment responsibilities, and update cadence.

- Capture when the intermediary first had credible grounds, who was notified at the organisation, and what personal data, systems, individuals, and containment steps are known.
- Separate intermediary-to-organisation escalation from PDPC or affected-individual notification; the organisation makes the statutory notification assessment.
- After closure, retain the chronology, root-cause notes, remediation actions, contractual follow-up, and any updates to the vendor's controls or exit plan.

Sources for this answer:

- [PDPC Guide on Managing and Notifying Data Breaches under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - Supports the breach response split: data intermediaries notify the organisation, while the organisation assesses notifiability and handles any PDPC or affected-individual notification.
- [PDPC Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - Supports the rule that the intermediary notifies the organisation without undue delay from credible grounds and does not itself determine statutory notifiability for the organisation.

## Primary sources

- [PDPC Advisory Guidelines on Key Concepts in the PDPA](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act?ref=sorena.io) - Primary source for data intermediary definition, limited direct obligations, organisation accountability for intermediary processing, transfer responsibility, and breach escalation to the organisation.
  - Quote: "processes personal data on behalf of another organisation"
- [PDPC Guide to Managing Data Intermediaries](https://www.pdpc.gov.sg/help-and-resources/2020/09/guide-to-managing-data-intermediaries?ref=sorena.io) - Primary implementation guide for contracts, governance, risk assessment, service management, monitoring, onboarding, and exit management in data intermediary relationships.
  - Quote: "outsourcing data processing activities to data intermediaries"
- [PDPC: The Distinction between Organisations and Data Intermediaries and Why It Matters](https://www.pdpc.gov.sg/the-distinction-between-organisations-and-data-intermediaries-and-why-it-matters?ref=sorena.io) - Supports plain-language explanation of organisation versus data intermediary roles and why consumer-facing obligations should be assigned to the organisation.
  - Quote: "organisations and data intermediaries play very different roles"
- [PDPC Guide on Managing and Notifying Data Breaches under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - Supports breach response procedures, including data intermediary notification to the organisation and the organisation's assessment and notification responsibilities.
  - Quote: "Data intermediaries that process the personal data"

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/apac/singapore-pdpa/faq/data-intermediaries
